Cryptography is the art and science of keeping messages secure. Cryptographic protocols enable parties to securely exchange information on a communications network. Cryptographic protocols typically involve the use of “keys”, which are strings of bits used by algorithms for encrypting and decrypting information exchanged between parties. There are several resources available on the topic of cryptography, including, but not limited to, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Ed., by Bruce Schneier, published by John Wiley & Sons, Inc., 1996.
“Authenticated Key Exchange” (AKE) is a general term for encryption protocols that allow two parties to exchange keys based on authentication of one of the parties by the other, or mutual authentication of each party by the other. When an AKE protocol bases authentication on a password, it is called a “Password-Based Authenticated Key Exchange” (PB-AKE or PBAKE).
Because passwords are typically weak—that is, they have low entropy in order to be easily remembered and all too often employ common words or obvious variants on common words—PB-AKE protocols should be designed to withstand off-line dictionary attacks in the event that a message exchange is visible to eavesdroppers. In general, such protocols should be “zero-knowledge”; that is, not only should it not be possible to mount a dictionary attack based on a single message exchange, but also each message exchange should not leak information about the password such that viewing multiple message exchanges would make it possible to succeed in a dictionary attack.
Additionally, a PB-AKE protocol should be made secure against active attack. That is, a party without knowledge of the password must not be able to gain such knowledge merely by participating in one or more protocol exchanges. Nor should an attacker be capable of completing the exchange successfully and acquiring a key without knowledge of the password. Additionally, it should not be possible to mount a man-in-the-middle attack, in which the message exchange flows through the attacker, who modifies messages in a manner that allows the attacker to acquire knowledge of either the password or resulting key.
There are generally two approaches to creating PB-AKE protocols. One is to hide the protocol within an encrypted tunnel based on the strong public key of one of the parties. This approach presumes a prior authentication of the party holding the strong public key; that is, one party must have the information necessary to trust the public key of the other. This information may, for example, be in the form of a trusted certificate attesting to that public key. While this approach has certain advantages, its limitation is that knowledge of the password itself is not sufficient to enable the protocol to operate.
The second approach is to use strong cryptography in the PB-AKE itself, relying only on knowledge of the shared password by both parties to enable the protocol to operate. Two known protocols that take this approach are the Encrypted Key Exchange (EKE) protocol and the Simplified Password-Authenticated Exponential Key Exchange (SPEKE) algorithm.
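As an added illustration of the second approach (example code written for this page, not taken from this document or from the SPEKE specification): a toy-sized SPEKE run in Python, where the generator is derived from the password and both sides obtain the same key only if they used the same password. It assumes SHA-256 as the hash, a safe prime found at runtime just above 2^32 (far too small for real use), and the function names are invented for the example.

```python
import hashlib
import secrets


def is_prime(n):
    """Trial division; adequate only for the toy-sized prime used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def safe_prime_above(bound):
    """Smallest safe prime p = 2q + 1 (q prime) greater than bound."""
    p = bound + 1
    while not (p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)):
        p += 1
    return p


P = safe_prime_above(2 ** 32)  # toy group; a real deployment needs a large safe prime
Q = (P - 1) // 2               # order of the quadratic-residue subgroup


def speke_generator(password):
    """SPEKE generator g = H(password)^2 mod p; squaring lands g in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P
    g = pow(h, 2, P)
    if g < 2:  # g in {0, 1} would fix the key regardless of password: reject
        raise ValueError("degenerate generator for this password and prime")
    return g


def speke_exchange(pw_alice, pw_bob):
    """One SPEKE run; returns (Alice's key, Bob's key). Equal only if the passwords match."""
    ga, gb = speke_generator(pw_alice), speke_generator(pw_bob)
    a, b = secrets.randbelow(Q - 2) + 2, secrets.randbelow(Q - 2) + 2
    A, B = pow(ga, a, P), pow(gb, b, P)   # the only values an eavesdropper sees
    if A in (1, P - 1) or B in (1, P - 1):  # each side rejects trivial public values
        raise ValueError("rejected degenerate public value")
    k_alice = hashlib.sha256(pow(B, a, P).to_bytes(8, "big")).hexdigest()
    k_bob = hashlib.sha256(pow(A, b, P).to_bytes(8, "big")).hexdigest()
    return k_alice, k_bob
```

The two rejection checks are the defensive habit a PB-AKE implementer keeps for degenerate group elements; they do not make this toy parameter size secure.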
For PB-AKE exchanges, it may be desirable that one of the parties in the key exchange has only indirect knowledge of the password that is sufficient to allow it to participate in a PB-AKE exchange, but not sufficient to allow it to pose as an actual password-holder. For example, it may be desirable to allow a user to authenticate and exchange keys with a central server, but to avoid storing actual passwords in the server's database, lest that database be stolen or revealed.
Some known protocols, such as EKE and SPEKE, describe how indirect or derivative password information may be used by either party in the key exchange. However, these key exchange protocols must be “augmented” in order to allow the party with indirect password knowledge to confirm that the other party has direct knowledge of the password. Otherwise, a central server or an attacker with access to the central server's password database would be able to pose as a user. These augmented exchanges involve additional strong cryptography beyond the key exchange itself.